An aggregate of all of GoVanguard’s InfoSec & Cybersecurity related Posts, News, Threats and Data Feeds.

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device. The IRS says it will require ID.me for all logins later this summer. McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders. These days, ID.me is perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day. Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else's name, and now the IRS is about to join them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued…

Source

The mobile app that all attendees and athletes of the upcoming Beijing Winter Olympics must use to manage communications and documentation at the event has a “devastating” flaw in the way it encrypts data that can allow for man-in-the-middle attacks that access sensitive user information, researchers have found. MY2022 is an app mandated for use by all attendees – including members of the press and athletes – of the 2022 Olympic Games in Beijing. The problem is, it poses a significant security risk because the encryption used to protect users’ voice audio and file transfers “can be trivially sidestepped” due to two vulnerabilities in how it handles data transport, according to a blog post from Citizen Lab posted online Tuesday. Additionally, “server responses can also be spoofed, allowing an attacker to display fake instructions to users,” Citizen Lab’s Jeffrey Knockel wrote in the post. MY2022 collects info such as health customs forms that transmit passport details, demographic information, and medical and travel history, which are vulnerable due to the flaw, he said. It’s also not clear with whom or which organizations this info is shared. MY2022 also includes a feature that allows users to report “politically sensitive” content, as well as a censorship keyword list. While the latter is “presently inactive,” it targets a variety of political topics, including domestic issues such as Xinjiang and Tibet as well as references to Chinese government agencies, Knockel wrote….

Source

A new phishing campaign is targeting aspiring government vendors with an invitation to bid on various fake federal projects with the U.S. Department of Labor. Emails branded to look like legitimate communications from the DoL contain malicious links that, rather than leading to a government procurement portal, harvest the credentials of anyone who attempts to log in, according to a new report from threat researchers at INKY. “In this campaign, the majority of phishing attempts had sender email addresses spoofed to look as if they came from no-reply@dol[.]gov, which is the real DoL site,” the INKY team reported in a Wednesday report. “A small subset were spoofed to look as if they came from no-reply@dol[.]com, which is, of course, not the real DoL domain.” The remainder were sent by phishers from lookalikes dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us. The phishing lure email texts claim that the DoL is soliciting bids for “ongoing government projects,” and include an attached .PDF file with government branding. The threat researchers said the efforts were “well-crafted.” “Click on the button below to access our website to bid,” the phishing email instructs. Once clicked, the link takes victims to various domains impersonating the DoL.

Copy & Paste Spoof of DoL Site

The malicious site was a copy-and-paste of the website styling code (both HTML and CSS) from the actual Department of Labor site, with the addition of a bright red link directing victims to a credential…

Source

In August 2021, the subtitling website Open Subtitles suffered a data breach and subsequent ransom demand. The breach exposed almost 7M subscribers' personal data including email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.

Source

In April 2021, Indian brokerage firm Upstox suffered a data breach. The incident exposed extensive personal information on over 100k customers including names, genders, dates of birth, physical addresses, banking information and passwords stored as bcrypt hashes. Extensive “know your customer” information was also exposed including scans of bank statements, cheques and identity documents complete with Aadhaar numbers. The data was provided to HIBP by a source who requested it be attributed to “white_peacock@riseup.net”.

Source

Here, have a can of soup. Nah, we don’t know what’s in it. Could be 30 percent insect parts, could be seasoned with rat hair, who can say? The ingredients keep changing anyway. Just pour it into your network and pray. That, unfortunately, is the current state of cybersecurity: a teeth-grinding situation in which supply-chain attacks force companies to sift through their software to find out where bugs are hiding before cyberattackers beat them to the punch. It’s a lot easier said than done. The problem has been underscored by the massive SolarWinds supply-chain attack and by organizations’ frustrating, ongoing hunt for the ubiquitous, much-exploited Log4j Apache logging library. The problem predates both, of course: In fact, it’s one of the “never got around to it, keep meaning to” issues that one security expert – Sophos principal security researcher Paul Ducklin – stuck an elbow in our rib about when it came time for end-of-year coverage. “We’re awash in supply chain attacks, whether they’re caused by active and purposeful hacking into software providers to poison code on purpose (e.g. Kaseya), or by an inattentive and casual attitude to sucking software components into our own products and services without even being aware (e.g. Log4Shell),” Ducklin said. “For years, we’ve batted around the idea that computer software and cloud services ought to have a credible Bill of Materials that would make it easy to figure out which newsworthy bugs might apply to each and every…

Source

It’s not my intention to be alarmist about the Log4j vulnerability (CVE-2021-44228), known as Log4Shell, but this one is pretty bad. First of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the most serious vulnerability she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times every minute. The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage. OK, maybe it is time for alarm. Log4j is open-source software from the Apache Software Foundation. As explained by The Conversation, this logging library is widely used to record events such as routine system operations and errors, and to communicate diagnostic messages regarding those events. A feature in Log4j allows users of the software to specify custom code for formatting a log message. This feature also allows third-party servers to submit software code that can perform all kinds of actions – including malicious ones – on the targeted computer. The result of an exploit for the bug is that an attacker can control a targeted server remotely.

Attackers Took Early Advantage

Within weeks of discovery of the flaw in mid-December, it was already reported that nation-state actors linked to North Korea, China, Iran…

Source

Organizations running sophisticated virtual networks with VMware’s vSphere service are actively being targeted by cryptojackers, who have figured out how to inject the XMRig commercial cryptominer into the environment, undetected. Uptycs’ Siddharth Sharma has released research showing threat actors are using malicious shell scripts to make modifications and run the cryptominer on vSphere virtual networks. “Cryptojacking campaigns mostly target the systems having high-end resources,” Sharma pointed out. “In this campaign as we saw the attackers tried to register the XMRig miner itself as a service (daemon), which runs whenever the system gets rebooted.” To avoid detection, the script also downloads a user-mode rootkit from the command-and-control server (C2), the report added. “The shell script also contains commands which download the miner, the config file and the user mode rootkit from the attacker’s web server,” the report explained. “The attackers used [the] wget utility to fetch the malicious components and chmod utility to make the components executable.” The report said the rootkit gets saved as “libload.so” and the script modifies vSphere to run the XMRig cryptominer.

Source: Uptycs.

After the cryptominer is dropped, the script reloads the service to get the miner started, Sharma explained. The report also noted that the attacker’s wallet had been paid 8.942 XMR, or about $1,790 as of press time.

VMware Services Under Attack

VMware services have…

Source

A new ransomware family, White Rabbit, chewed through a local U.S. bank last month — and it may be connected to the financially motivated advanced persistent threat (APT) group known as FIN8, researchers said. In a Tuesday report, Trend Micro researchers said that this twicky wabbit knows how to burrow away where it can’t be spotted. In fact, it looks like the operators behind the White Rabbit ransomware have taken a page from the more established ransomware family known as Egregor when it comes to hiding their malicious activity, researchers said. Egregor, which claimed responsibility for a well-publicized cyberattack on Barnes & Noble in October 2020, is a ransomware-as-a-service (RaaS) player that sparked an FBI warning after compromising more than 150 organizations in short order after its birth. White Rabbit may be sneaky, but it leaves tracks. The ransomware was spotted by multiple security outfits, and was first detected on Dec. 14 by the Lodestone Forensic Investigations team, which said that it had seen some White Rabbit activity a few days earlier, on Dec. 11. But the earliest stirrings date back to July 10, when a PowerShell script was executed – a script that held script blocks that matched those described in a July 27 Bitdefender article on FIN8. The Dec. 14 White Rabbit attack was also publicly disclosed on Twitter that same day by security researcher Michael Gillespie (@demonslay355). 🔒 #Ransomware Hunt: "White Rabbit" with extension ".scrypt", drops note…

Source

A critical security vulnerability in the Zoho ManageEngine Desktop Central and Desktop Central MSP platforms could allow authentication bypass, the company has warned. The bug (CVE-2021-44757) could allow a remote user to “perform unauthorized actions in the server,” according to the company’s Monday security advisory. “If exploited, this vulnerability may allow an attacker to read unauthorized data or write an arbitrary .ZIP file on the server.” Zoho’s ManageEngine Desktop Central is a unified endpoint management (UEM) solution that lets IT admins manage servers, laptops, desktops, smartphones and tablets from a central location. Users can automate routines like installing patches, deploying software, imaging and deploying OS, according to the company’s documentation. It can also be used to manage assets and software licenses, monitor software-usage statistics, manage USB device usage, take control of remote desktops, and more. On the mobile side, users can deploy profiles and policies; configure devices for Wi-Fi, VPNs, email accounts and so on; apply restrictions on application installs, camera usage and the browser; and manage security with passcodes and remote lock/wipe functionality. As such, the platform offers far-reaching access into the guts of an organization’s IT footprint, making for an information-disclosure nightmare in the case of an exploit, potentially. As well, the ability to install a .ZIP file paves the way for the installation of malware on all of the…

Source